June 8, 2023

I Am A Spammer

Ok, well not really. I’ve never once intentionally sent any spam emails before, and none of my websites collect emails or even send any out…. or so I thought that’s what they were doing.

Years ago (we’re talking 1999 here) I headed over to hotscripts and grabbed a generic form email script. This particular script was written by Dennis of DarkMix.net (which no longer exists anymore, so I assume Dennis had the same problem)

The problem was with the following lines of code that I just seemingly noticed:

$headers = "From: $Name <$Email> \n";

$headers .= "Reply-To: $Email\n";

$headers .= "X-Mailer: Darkmix Mail Sender\n";

$headers .= "X-Mailer-Version: 1.1";

I’m sure many of you can spot the problem. It’s very easy to add whatever I want to that header by entering a creative email address. Worse, this code didn’t use the $_POST or $_GET variables either. It relied on register globals.

Anyway, I caught this problem well over 6 months ago, and the site it was on isn’t even on the internet anymore. I was just reminded of it while perusing some old legacy code at my company and remembered that I’d forgotten to blog about this. All in all it only sent a few emails before I noticed something was funny. No harm no foul I suppose.

Let this be a lesson to those who release free code on hotscripts, as well as to those who blindly use code found from such repositories.

About Ryan Jones

Ryan Jones is an SEO from Detroit. By day he works as a manager of SEO & Analytics at SapientNitro where his team performs SEO for Fortune500 clients. By night he's either playing hockey or attempting to take over the world with his own websites - which he would have already succeeded in doing had it not been for those meddling kids and their dog. The views expressed here have not been paid for and belong only to Ryan, not any of his employers or clients. Follow Ryan on Twitter at: @RyanJones, add him on Google+ or visit his personal website: www.RyanMJones.com